Nearly four out of five crypto projects that suffer a major hack never fully regain their footing, according to Mitchell Amador, CEO of Web3 security platform Immunefi.
Amador told Cointelegraph that most protocols enter a state of paralysis the moment an exploit is discovered. “Most protocols are fundamentally unaware of the extent to which they are exposed to hacks, and are not operationally prepared for a major security incident,” he said.
According to Amador, the first hours after a breach are often the most damaging. Without a predefined incident plan, teams hesitate, debate next steps and underestimate how deep the compromise may go. “Decision-making slows as teams scramble to understand what happened, leading to improvization and delayed action,” he said, adding that this is frequently when additional losses occur.
Projects often avoid pausing smart contracts out of fear of reputational damage, while communication with users breaks down entirely. Amador warned that silence tends to amplify panic rather than contain it.
“Nearly 80% of projects that suffer a hack never fully recover,” he said. “The primary reason is not the initial loss of funds, but the breakdown of operations and trust during the response.”
Related: Truebit exploit exposes smart-contract flaw behind $26M token mint
Most projects don’t survive even after fixing a major hack
Trust has become the most fragile asset in crypto. Alex Katz, CEO and co-founder of Web3 security firm Kerberus, said that even technically resolved incidents often mark the beginning of the end. “There are always exceptions, but in most cases a major exploit is a death sentence,” Katz said, noting that users leave, liquidity dries up and reputational damage becomes permanent.
While smart contract exploits once dominated headlines, recent losses increasingly stem from operational and human-layer failures. “Human error is clearly the weakest link in crypto security,” Katz said, explaining that most losses now come from users approving malicious transactions, interacting with fake interfaces, or unknowingly exposing their keys.
Earlier this month, a crypto user lost more than $282 million worth of Bitcoin (BTC) and Litecoin (LTC) in one of the largest social engineering attacks ever recorded in the crypto sector. The user was reportedly deceived by an attacker impersonating Trezor support, who tricked him into revealing their hardware wallet seed phrase.
Crypto-related hacks surged in 2025, with attackers targeting major platforms and individual wallets, driving total losses to $3.4 billion, the highest level since 2022. Just three incidents, including the $1.4 billion Bybit hack, accounted for 69% of all losses through early December.
“Beyond Bybit, we’ve seen a rise in similar attacks that bypass smart contracts entirely and exploit protocol vulnerabilities,” Amador noted.
Advances in artificial intelligence have only made those attacks more effective. Amador said social engineering campaigns can now scale rapidly, allowing attackers to send thousands of tailored phishing messages per day.
Related: The hidden risk of public WiFi: How a single approval wiped a crypto wallet
2026 could be crypto’s strongest year yet
Despite the grim statistics, crypto experts remain optimistic. Amador believes smart contract security is improving faster than ever, driven by better development practices, stronger audits and more mature tooling. “I think 2026 will be the strongest year yet for smart contract security,” he said, pointing to growing adoption of onchain monitoring, firewalling and threat intelligence.
However, the unresolved problem is response readiness. Amador stressed that teams should act decisively and communicate immediately when an incident occurs, even if the full scope is unclear. He claimed pausing protocols early is far less damaging than allowing uncertainty to spiral.
Magazine: How crypto laws changed in 2025 — and how they’ll change in 2026